Product Documentation

For encrypting sensitive data using a General Purpose Key (GPK) previously stored on SAKA, the web service call requires the following parameters:

DID

The unique encryption domain identifier. This is a numeric integer that logically represents the context within which the GPK is stored.

username

The encryption domain username with the authorization to call this web service.

password

The password for the username, used to authenticate the requester's credential.

gpktoken

The token of the GPK.

plaintext

The sensitive data that must be encrypted.

encoding

The encoding in which to process this transaction. Valid values are Hex and Base64. The iv parameter must be encoded in this format, and the ciphertext returned by this web service is returned in the same encoding.

algorithm

The algorithm transform to use for this encryption. The transform must be of the form "algorithm/mode/padding".

iv

An Initialization Vector to be used for this encryption. For ECB-mode encryption, the iv should be null.

aad

The Additional Authenticated Data that can be included in GCM-mode encryptions. This value may be null, even in GCM mode (AAD is optional there).

When SAKA receives the request, it first verifies the presented credentials against its internal database or an LDAP directory server (whichever is configured), and then determines whether the requester is authorized to use the encryption service by checking that they are a member of both the EncryptionAuthorized and DecryptionAuthorized groups (decryption authorization is necessary to access the GPK key). Note that when using LDAP, these groups and their members must be created in the LDAP directory as a distinct task of the SAKA installation and configuration process; when using the SAKA internal database, this is performed automatically.

If the requester is authorized, SAKA locates and decrypts the GPK key. SAKA then initializes the encryption cipher using the algorithm and, optionally, the iv and aad specified in the web service request. The web service has been tested with the following algorithms:

  • AES/ECB/ZeroBytePadding
  • AES/ECB/PKCS7Padding
  • AES/ECB/TBCPadding
  • AES/ECB/X9.23Padding
  • AES/ECB/ISO7816-4Padding
  • AES/ECB/ISO10126-2Padding
  • AES/CBC/ZeroBytePadding
  • AES/CBC/PKCS7Padding
  • AES/CBC/TBCPadding
  • AES/CBC/X9.23Padding
  • AES/CBC/ISO7816-4Padding
  • AES/CBC/ISO10126-2Padding
  • AES/OFB/NoPadding
  • AES/CFB/NoPadding
  • AES/GCM/NoPadding


Upon encrypting the data, SAKA encodes the encrypted bytes using the encoding specified in the web service and returns it to the calling application.
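As an added example (not part of SAKA or its documentation), the following Python pre-flight check enforces the parameter rules described above on the client side before a request is sent: the transform must be one of the tested algorithm/mode/padding forms, the iv must be null for ECB and present and decodable in the chosen encoding otherwise, and aad is accepted only in GCM mode. The IV length checks and the assumption that aad uses the same encoding as iv are this example's own choices, not documented SAKA behaviour.

```python
import base64
import binascii

# Transforms the page lists as tested with the GPK encryption web service.
TESTED_TRANSFORMS = {
    "AES/ECB/ZeroBytePadding", "AES/ECB/PKCS7Padding", "AES/ECB/TBCPadding",
    "AES/ECB/X9.23Padding", "AES/ECB/ISO7816-4Padding", "AES/ECB/ISO10126-2Padding",
    "AES/CBC/ZeroBytePadding", "AES/CBC/PKCS7Padding", "AES/CBC/TBCPadding",
    "AES/CBC/X9.23Padding", "AES/CBC/ISO7816-4Padding", "AES/CBC/ISO10126-2Padding",
    "AES/OFB/NoPadding", "AES/CFB/NoPadding", "AES/GCM/NoPadding",
}
AES_BLOCK_BYTES = 16  # CBC/OFB/CFB IV is one AES block
GCM_NONCE_BYTES = 12  # local policy: 96-bit GCM nonce (the NIST SP 800-38D recommendation)
REQUIRED = ("DID", "username", "password", "gpktoken", "plaintext", "encoding", "algorithm")


def decode(value, encoding):
    """Decode a string given in the request's 'encoding' (Hex or Base64) to bytes."""
    if encoding == "Hex":
        return binascii.unhexlify(value)
    if encoding == "Base64":
        return base64.b64decode(value, validate=True)
    raise ValueError("encoding must be Hex or Base64")


def validate_request(req):
    """Pre-flight check of a GPK encrypt request given as a dict of the documented
    parameters. Returns (algorithm, mode, padding) or raises ValueError."""
    for name in REQUIRED:
        if req.get(name) in (None, ""):
            raise ValueError(f"missing parameter: {name}")
    if not isinstance(req["DID"], int):
        raise ValueError("DID must be a numeric integer")
    if req["algorithm"] not in TESTED_TRANSFORMS:
        raise ValueError(f"transform not in the tested list: {req['algorithm']}")
    algorithm, mode, padding = req["algorithm"].split("/")
    iv, aad = req.get("iv"), req.get("aad")
    if mode == "ECB":
        if iv is not None:  # ECB takes no IV (and, being deterministic, repeats blocks)
            raise ValueError("iv must be null for ECB mode")
    else:
        if iv is None:
            raise ValueError(f"{mode} mode requires an iv")
        need = GCM_NONCE_BYTES if mode == "GCM" else AES_BLOCK_BYTES
        if len(decode(iv, req["encoding"])) != need:
            raise ValueError(f"{mode} iv must be {need} bytes")
    if aad is not None:
        if mode != "GCM":
            raise ValueError("aad is only accepted in GCM mode")
        decode(aad, req["encoding"])  # assumption: aad uses the same encoding as iv
    return algorithm, mode, padding
```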